“The Mask” May Be the World's Most Sophisticated Malware

"Careto," which is a Spanish slang term for "mask" or "ugly face," may be the most sophisticated advanced persistent threat (APT) on the planet. It possesses an extremely complex set of tools that can attack Windows, Mac OS X and Linux, along with rootkit and bootkit elements. The Mask has claimed victims in 31 countries, and it has targeted government institutions, diplomatic embassies, energy companies, research institutions, private equity firms and activists.

The Mask is one of the most advanced cyber security threats ever created. This leads cyber security experts to speculate that it was created by a nation-state instead of by a rogue attacker. This APT infects computers when users click links contained in spear-phishing emails. It's even signed with a valid SSL certificate to make it seem authentic.

How The Mask Was Exposed

Kaspersky Labs discovered the exploit because The Mask tries to use an old Kaspersky product vulnerability (which the company has since fixed) to make itself invisible in a computing system. Once a person clicks on a spear-phishing email link, they're directed to a malicious website that infects their computer. The infected computer is then redirected to a benign website, which could be a news website or a YouTube video.

The exploit websites themselves, according to Kaspersky, do not automatically infect their visitors. Instead, the exploits are stored in folders hidden on the websites, which are referenced exclusively in the malicious emails. Kaspersky uncovered three specific websites that appear to contain malware: linkconf.net, redirserver.net and swupdt.com. The folders may be stored within subdomains on these websites, which look like websites for Spanish-speaking newspapers. They also mimic other news sites including The Guardian and The Washington Post.
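Because the article names the three exploit-hosting domains, the practical defensive step is to check proxy and DNS logs for requests to those domains or any of their subdomains. The script below is an added example written for this page, not code from the article or from Kaspersky; it uses the three domains the article lists and runs over constructed sample log lines (not real traffic). It deliberately matches on domain-label suffixes rather than substrings, so look-alike names such as notlinkconf.net or swupdt.com.example.org do not produce false hits.

```python
"""Added example (not from the original article or Kaspersky's report):
flag DNS and proxy log entries whose hostname is one of the Careto
exploit-hosting domains named in the article, or a subdomain of one.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# The three domains named in the article as hosting the exploit folders.
CARETO_DOMAINS = frozenset({"linkconf.net", "redirserver.net", "swupdt.com"})


def matches_watchlist(hostname: str, watchlist=CARETO_DOMAINS) -> Optional[str]:
    """Return the watchlist domain that `hostname` equals or is a subdomain of,
    otherwise None. Case-insensitive; a trailing dot (as DNS logs often write
    fully qualified names) is ignored. Matching is on whole labels, so
    'notlinkconf.net' does NOT match 'linkconf.net'."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walk up the name one label at a time: a.b.c -> b.c -> c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


# Constructed sample logs (not real data). Proxy format: "timestamp client url".
SAMPLE_PROXY_LOG = """\
2014-02-10T09:12:01Z 10.0.0.15 http://www.example.org/news/index.html
2014-02-10T09:12:44Z 10.0.0.15 http://elpais.linkconf.net/article/abc123/
2014-02-10T09:13:02Z 10.0.0.22 https://notlinkconf.net/login
2014-02-10T09:14:30Z 10.0.0.31 http://swupdt.com.example.org/update
2014-02-10T09:15:10Z 10.0.0.31 http://SWUPDT.COM/update/flash/
"""

# Constructed DNS query log (not real data). Format: "timestamp client qname".
SAMPLE_DNS_LOG = """\
2014-02-10T09:12:43Z 10.0.0.15 elpais.linkconf.net.
2014-02-10T09:16:00Z 10.0.0.40 cdn.redirserver.net
2014-02-10T09:16:05Z 10.0.0.40 redirserver.net.co
"""

Hit = Tuple[str, str, str, str]  # (timestamp, client, observed host, matched domain)


def scan_proxy_log(text: str) -> List[Hit]:
    """Parse 'timestamp client url' lines and return those whose URL host hits."""
    hits: List[Hit] = []
    for line in text.splitlines():
        ts, client, url = line.split(maxsplit=2)
        host = urlsplit(url).hostname  # already lower-cased by urlsplit
        if host:
            matched = matches_watchlist(host)
            if matched:
                hits.append((ts, client, host, matched))
    return hits


def scan_dns_log(text: str) -> List[Hit]:
    """Parse 'timestamp client qname' lines and return those whose qname hits."""
    hits: List[Hit] = []
    for line in text.splitlines():
        ts, client, qname = line.split(maxsplit=2)
        matched = matches_watchlist(qname)
        if matched:
            hits.append((ts, client, qname.rstrip("."), matched))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG) + scan_dns_log(SAMPLE_DNS_LOG):
        print("HIT  %s  client=%s  host=%s  (watchlist: %s)" % hit)
```

Run as-is, the script reports two proxy hits (elpais.linkconf.net and swupdt.com) and two DNS hits (elpais.linkconf.net and cdn.redirserver.net); the look-alike names in the sample data are correctly ignored. Swap the constructed sample strings for real log exports to use it against your own data.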

How It Works

The Mask works by installing a 32-bit or 64-bit module that matches the victim system's architecture. The less sophisticated implant, Careto, collects system information and executes code from the command-and-control infrastructure. Another backdoor, called SGH, works in kernel mode to collect files while maintaining a connection to command-and-control. SGH deploys a keylogger, takes desktop screenshots, collects victims' email messages, intercepts and records Skype conversations, intercepts network traffic and gathers information from Nokia devices. The installer knows whether it's running in a Microsoft Virtual PC or VMware environment.

In addition to Careto and SGH, experts have discovered an SBD backdoor, or a "Shadowinteger's Backdoor." With the SBD backdoor, The Mask connects to its command-and-control server using Port 443. Attackers then access the victim's machine directly, and communication between the machine and command-and-control is both AES-encrypted and uses SHA1 for cross-authentication. Apple has suspended the SBD backdoor domains, but Kaspersky also saw evidence of versions for Linux and Windows.

Murky Origins

Some cyber security experts suspect The Mask may be a zero-day exploit sold by a French company called Vupen, which is known to put together malware and sell it to nation-states and law enforcement. However, Chaouki Bekrar, co-founder of Vupen, issued a statement on Twitter denying Vupen's involvement. Code artifacts suggest Spanish-speaking developers possibly created The Mask.

Most experts rate The Mask as more sophisticated than Duqu, Icefog or Red October, and some have equated it to Flame and Stuxnet. Although the malware developer remains unidentified, the attackers who used The Mask demonstrated a great deal of professionalism as they worked to avoid discovery. For example, they altered access rules to avoid detection, wiped log files instead of deleting them and monitored their infrastructure, shutting down the APT when it was detected.

In addition to seeking out identifiable file types, The Mask had tools to capture file extensions that may be related to custom government programs. It could have also stolen encryption keys, Adobe signing keys and VPN configuration data. Even more disturbing, The Mask proves that APTs are now targeting Mac OS X and Linux, and they have the potential to establish iOS and Android backdoors.

What Happens Next?

The attackers behind The Mask shut down the malware after Kaspersky discovered it, but many questions remain about both who developed it and who was using it to obtain sensitive information. Most of the victims lived in Morocco and Brazil, and it's difficult to tell exactly what the attackers wanted. However, APTs like The Mask underscore a dark new reality: Cyber war is just as real as military war, and it could become just as costly.